Пример #1
0
/**
 * tries to secure session from hijacking and fixation
 * should be called before login and after successful login
 * (only required if sensitive information stored in session)
 *
 * @return void
 */
function PMA_secureSession()
{
    // prevent session fixation and XSS
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    PMA_generateToken();
}
Пример #2
0
$session_result = session_start();
if ($session_result !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors(false)) {
    setcookie($session_name, '', 1);
    $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
    PMA_sessionFailed($errors);
}
unset($orig_error_count, $session_result);
/**
 * Disable setting of session cookies for further session_start() calls.
 */
@ini_set('session.use_cookies', 'true');
/**
 * Token which is used for authenticating access queries.
 * (we use "space PMA_token space" to prevent overwriting)
 */
if (!isset($_SESSION[' PMA_token '])) {
    PMA_generateToken();
    /**
     * Check for disk space on session storage by trying to write it.
     *
     * This seems to be most reliable approach to test if sessions are working,
     * otherwise the check would fail with custom session backends.
     */
    $orig_error_count = $GLOBALS['error_handler']->countErrors();
    session_write_close();
    if ($GLOBALS['error_handler']->countErrors() > $orig_error_count) {
        $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
        PMA_sessionFailed($errors);
    }
    session_start();
}